Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Sublime Rules

Summary
This detection rule identifies potentially malicious PDF attachments in inbound email that are associated with credential theft, specifically attachments whose links point to free subdomains. The rule checks several indicators together. First, the content of the message's current thread must carry Intent classifications related to credential theft with medium or high confidence. Second, the message must carry an attachment with a '.pdf' file extension, and the URLs extracted from that file are analyzed: a URL matches when its domain is registered on a free subdomain provider and its hostname does not carry the 'www' prefix. Third, the rule applies Optical Character Recognition (OCR) to the raw text of the PDF and checks it for the same credential theft intent. Finally, the message must originate from a sender who is not on a solicited list, or from a sender who has previously sent malicious or spam messages, which restricts the rule to unsolicited communications. Senders with a history of false positives are excluded, so that only genuine threats are flagged and reported.
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • Container
  • Web Credential
  • File
  • Network Traffic
  • Application Log
Created: 2024-01-30